Data Breaches Reported by Cooper Aerobics, Colorado Ophthalmology Associates, and Des Moines Orthopaedic Surgeons

Cooper Aerobics Announces 124K-Record Data Breach

Cooper Aerobics, representing Cooper Clinic, Cooper Aerobics Enterprises, and Cooper Medical Imaging, in Texas, has informed 124,341 persons about the exposure of some of their protected health information (PHI) in a cyberattack at the beginning of 2023. The notification letters do not state when the attack happened. Following the investigation and file review, Cooper Aerobics discovered on December 8, 2023, that files containing the personal data and PHI of patients were possibly extracted from its system on February 3, 2023.

Patients were informed about the potential compromise of the following data elements: name, address, telephone number, email address, birth date, debit or credit card number (including financial account and routing number, expiration date), Social Security number, tax ID number, passport number, driver’s license or government ID, username and password, health data (such as medical record/patient account number, prescription details, healthcare provider, and medical treatments), and medical insurance data.

Cooper Aerobics began informing the impacted persons on January 5, 2024, and stated that it regularly examines and alters its procedures and internal controls to safeguard against unauthorized access and will continue to do so.

6,000 People Affected by Colorado Ophthalmology Associates Ransomware Attack

Colorado Ophthalmology Associates (COA) recently reported a ransomware attack that was identified on November 14, 2023. Data extraction frequently occurs in ransomware attacks, yet the forensic investigation did not find any proof of data theft. COA stated that automated encryption was used in the attack. The electronic health record files for patient consultations or tests done from April 10, 2023, to November 14, 2023, were lost.

The forensic investigation revealed that the attack started on October 4, 2023, and stopped on November 14, 2023. The types of data compromised in the attack were restricted to names, addresses, birth dates, telephone numbers, email addresses, insurance details, dates of service, types of services, diagnoses, illnesses, prescription medications, examination results, medicines, other treatment details, and Social Security numbers. The incident report submitted to the HHS Office for Civil Rights indicated that up to 6,020 patients were impacted.

Data Breach at Des Moines Orthopaedic Surgeons in February 2023

Des Moines Orthopaedic Surgeons (DMOS), based in Iowa, recently informed 307,864 current and former patients about the exposure of some of their PHI in a cyberattack roughly one year ago. DMOS said that the incident happened on or about February 17, 2023, and allowed an unauthorized third party to view and/or steal files that contain the sensitive data of DMOS patients. DMOS stated that the breach was due to the failure of one vendor.

DMOS noted that it quickly contained the threat and had third-party cybersecurity specialists investigate the incident to determine the scope of the compromise. According to the breach notification letters, DMOS spent a lot of time and effort evaluating the scope of the incident and determining what data could have been accessed by unauthorized users. It was confirmed on December 6, 2023, after 10 months, that the patient data included PHI.

The types of information affected included names together with at least one of these: Social Security number, birth date, passports, driver’s license numbers, state ID numbers, direct deposit bank details, medical data, and medical insurance details. Notification letters were sent by mail on January 22, 2024, and those who had their Social Security numbers exposed were provided with credit monitoring and identity theft protection services for free.

67,000 Michigan Orthopaedic Surgeons Patients Affected by Email Account Breach

Michigan Orthopaedic Surgeons informed 67,477 patients that unauthorized individuals gained access to some of their PHI held in an email account. The healthcare provider detected suspicious activity in the email account on or about June 29, 2023. A third-party forensic security firm investigating the incident confirmed that an unauthorized individual accessed the email account from May 5, 2023, to June 21, 2023.

A complete analysis of the account was started, and protected health information was confirmed to be present in the account on October 20, 2023. The types of data differed from one person to another and might have included names along with at least one of the following: date of birth, Social Security number, username and password, financial account number, medical insurance details, and medical data, like diagnosis, laboratory results, and prescription details. Individual notices were sent by mail on December 19, 2023, and free credit monitoring services were provided to those whose Social Security numbers were compromised.

Bay Area Heart Center Affected by Business Associate Phishing Attack

Bay Area Heart Center, located in St. Petersburg, FL, has reported the exposure of patient information in a cyberattack that occurred at the law firm Bowden Barlow Law, P.A., its collections service provider. A worker at the law firm responded to a phishing email, giving the attacker access to a server of the law firm from November 17, 2023, to December 1, 2023. Bay Area Heart Center was informed of the data breach on December 27, 2023.

The investigation did not find any evidence indicating that data was downloaded, but the possibility of data theft cannot be excluded. The compromised data included names, full and partial Social Security numbers, addresses, dates of service, limited claims information, and insurance policy numbers. Bay Area Heart Center’s breach notice mentioned that it takes patient privacy seriously and is equally disappointed about the compromise of its patient files through a third-party vendor. The medical practice is presently re-assessing its working relationship with Bowden Barlow Law. Bay Area Heart Center stated it has provided the impacted patients with membership to a credit monitoring service for one year.